(cid:2)(cid:3)(cid:4)(cid:5)(cid:6)(cid:7)(cid:8)(cid:2)(cid:2)(cid:9)(cid:10)(cid:7)(cid:11)(cid:12)(cid:7)(cid:3)(cid:4)(cid:5)(cid:7)(cid:13)(cid:11)(cid:10)(cid:14)(cid:15)(cid:16)(cid:17)(cid:7)(cid:18)(cid:6)(cid:5)(cid:10)(cid:10)(cid:7)(cid:10)(cid:5)(cid:6)(cid:11)(cid:5)(cid:10) (cid:2)(cid:3)(cid:4)(cid:5)(cid:6)(cid:7)(cid:8)(cid:9)(cid:10)(cid:11)(cid:12)(cid:13)(cid:14)(cid:15)(cid:16)(cid:9)(cid:17)(cid:18)(cid:6)(cid:19)(cid:20)(cid:9)(cid:21)(cid:22)(cid:9)(cid:21)(cid:23)(cid:20)(cid:9)(cid:13)(cid:11)(cid:12)(cid:12)(cid:24)(cid:16)(cid:25)(cid:11)(cid:12)(cid:12)(cid:26)(cid:24)(cid:16)(cid:9)(cid:13)(cid:27)(cid:28)(cid:16)(cid:9)(cid:9) (cid:2)(cid:3)(cid:4)(cid:5)(cid:6)(cid:7)(cid:8)(cid:9)(cid:10)(cid:8)(cid:11)(cid:12)(cid:13)(cid:14)(cid:5)(cid:15)(cid:16)(cid:8)(cid:17)(cid:7)(cid:12)(cid:14)(cid:5)(cid:4) (cid:18)(cid:19)(cid:20)(cid:21)(cid:22)(cid:8)(cid:23)(cid:24)(cid:25)(cid:26)(cid:27)(cid:28)(cid:24)(cid:29)(cid:29)(cid:27)(cid:26)(cid:24)(cid:30) (cid:2)(cid:3)(cid:4)(cid:5)(cid:6)(cid:7)(cid:8)(cid:9)(cid:10)(cid:11)(cid:12)(cid:13)(cid:14)(cid:15)(cid:16)(cid:9)(cid:17)(cid:18)(cid:6)(cid:19)(cid:20)(cid:9)(cid:21)(cid:22)(cid:9)(cid:21)(cid:23)(cid:20)(cid:9)(cid:13)(cid:11)(cid:12)(cid:12)(cid:24)(cid:16)(cid:9)(cid:13)(cid:27)(cid:28)(cid:16)(cid:29)(cid:9)(cid:19)(cid:31) (cid:5)(cid:15)(cid:7)(cid:8)(cid:17)(cid:7)(cid:12)(cid:14)(cid:12)(cid:5)(cid:15) (cid:2)(cid:3)(cid:4)(cid:5)(cid:6)(cid:7)(cid:8)(cid:9)(cid:10)(cid:8)(cid:11)(cid:12)(cid:13)(cid:14)(cid:5)(cid:15)(cid:16)(cid:8)(cid:17)(cid:7)(cid:12)(cid:14)(cid:5)(cid:4) (cid:18)(cid:19)(cid:20)(cid:21)(cid:22)(cid:8)(cid:23)(cid:24)(cid:25)(cid:26)(cid:27)(cid:28)(cid:24)(cid:29)(cid:27)(cid:30)(cid:27)(cid:24)(cid:26) (cid:13)(cid:11)(cid:12)(cid:2)(cid:9)(cid:30)(cid:20)(cid:7)(cid:19)(cid:20)(cid:31) (cid:23)(cid:6)!"(cid:9)# (cid:20)$(cid:21)(cid:6)(cid:7)(cid:8)(cid:9)(cid:24)(cid:31)(cid:6)$(cid:5)(cid:6)!(cid:8)(cid:20) 
(cid:9)(cid:3)(cid:22)(cid:31)(cid:9)(cid:12)(cid:18)(cid:5)(cid:5)(cid:20) (cid:11)(cid:5)(cid:7)(cid:7)(cid:8)(cid:9)(cid:12)(cid:14)!"(cid:31)(cid:4)(cid:3)(cid:6)(cid:7)(cid:8)(cid:3)(cid:15)(cid:7)(cid:8)#(cid:12) $(cid:12)(cid:8)%(cid:4)(cid:3)&’(cid:31)(cid:16)(cid:8)(cid:17)(cid:7)(cid:12)(cid:14)(cid:5)(cid:4)’ (cid:18)(cid:19)(cid:20)(cid:21)(cid:22)(cid:8)(cid:29)(cid:24)(cid:28)(cid:25)(cid:27)(cid:26)(cid:24)((cid:27)(cid:25)(cid:26)(cid:24)) (cid:2)(cid:3)(cid:4)(cid:5)(cid:6)(cid:7)(cid:8)(cid:9)(cid:10)(cid:11)(cid:12)(cid:13)(cid:14)(cid:15)(cid:16)(cid:9)(cid:17)(cid:18)(cid:6)(cid:19)(cid:20)(cid:9)(cid:21)(cid:22)(cid:9)(cid:21)(cid:23)(cid:20)(cid:9)(cid:12)(cid:12)(cid:13)(cid:24)(cid:16)(cid:9)(cid:13)(cid:27)(cid:28)(cid:16)(cid:9) *(cid:12)(cid:3)(cid:15)(cid:3)(cid:24)+,(cid:15)(cid:15)(cid:8)-(cid:5)(cid:15)(cid:14)(cid:31)’(cid:14)(cid:12)(cid:16)(cid:8)*(cid:5)&"(cid:6)(cid:3)’(cid:8).(cid:15)(cid:7)(cid:4)(cid:31)(cid:16)(cid:8)(cid:17)(cid:4)(cid:12) (cid:8)/(cid:3)01(cid:12)$(cid:16)(cid:8) 2(cid:3)&(cid:6)(cid:8).(cid:10)(cid:8)(cid:2)(cid:31)(cid:15)(cid:4),(cid:16)(cid:8)(cid:3)(cid:15)(cid:7)(cid:8)(cid:20)(cid:5)(cid:15)(cid:15)(cid:12)(cid:31)(cid:8).(cid:10)(cid:8)3(cid:5)(cid:12)(cid:15)’ (cid:18)(cid:19)(cid:20)(cid:21)(cid:22)(cid:8)(cid:29)(cid:24)(cid:28)(cid:25)(cid:27)(cid:26)(cid:24)4(((cid:25)(cid:24)(cid:23) (cid:27)(cid:18)(cid:6)(cid:8)(cid:19)(cid:6)$%(cid:9)(cid:7)$(cid:19)(cid:9)(cid:11)&!(cid:8)(cid:20)&(cid:20)$(cid:21)(cid:6)$%(cid:9)(cid:7)(cid:9)(cid:12)(cid:20)(cid:5)(cid:18)(cid:31)(cid:6)(cid:21)’(cid:9)(cid:13)(cid:20)(cid:31)(cid:21)(cid:6)(cid:4)(cid:5)(cid:7)(cid:21)(cid:6)(cid:22)$(cid:9)(cid:7)$(cid:19)(cid:9)(cid:26)(cid:5)(cid:5)(cid:31)(cid:20)(cid:19)(cid:6)(cid:21)(cid:7)(cid:21)(cid:6)(cid:22)$(cid:9) 
(cid:24)(cid:31)(cid:22)%(cid:31)(cid:7)&"(cid:9)(cid:2)(cid:3)(cid:4)(cid:5)(cid:6)(cid:7)(cid:8)(cid:9)(cid:10)(cid:11)(cid:12)(cid:13)(cid:14)(cid:15)(cid:16)(cid:9)(cid:17)(cid:18)(cid:6)(cid:19)(cid:20)(cid:9)(cid:21)(cid:22)(cid:9)(cid:21)(cid:23)(cid:20)(cid:9)(cid:13)(cid:26)(cid:24)(cid:16)(cid:9)(cid:13)(cid:27)(cid:28)(cid:16) 2(cid:3)(cid:14)(cid:4)(cid:12) $(cid:8)*(cid:10)(cid:8)(cid:2)(cid:5)5(cid:3)(cid:4)(cid:7) (cid:18)(cid:19)(cid:20)(cid:21)(cid:22)(cid:8)(cid:29)(cid:24)(cid:28)(cid:25)(cid:27)(cid:26)(cid:24)4(cid:29)64(cid:24)(cid:26) (cid:2)(cid:3)(cid:4)(cid:5)(cid:6)(cid:7)(cid:8)(cid:9)(cid:10)(cid:11)(cid:12)(cid:13)(cid:14)(cid:15)(cid:16)(cid:9)(cid:17)(cid:18)(cid:6)(cid:19)(cid:20)(cid:9)(cid:21)(cid:22)(cid:9)(cid:21)(cid:23)(cid:20)(cid:9)(cid:13)(cid:11)(cid:12)(cid:12)(cid:24)(cid:16)(cid:25)(cid:11)(cid:12)(cid:12)#(cid:24)(cid:16)(cid:9)(cid:13)(cid:27)(cid:28)(cid:16)(cid:9) (cid:19)&’(cid:3)(cid:15)(cid:8)(cid:2)(cid:3)(cid:15)’ 7(cid:31) (cid:18)(cid:19)(cid:20)(cid:21)(cid:22)(cid:8)(cid:29)(cid:24)(cid:28)(cid:25)(cid:27)(cid:26)(cid:24)4(cid:26)(cid:25)(cid:23)(cid:24)) (cid:2)(cid:3)(cid:4)(cid:5)(cid:6)(cid:3)(cid:7)(cid:8)(cid:9)(cid:7) (cid:10)(cid:11)(cid:12)(cid:13)(cid:14)(cid:3)(cid:7)(cid:15)(cid:16)(cid:7)(cid:17)(cid:4)(cid:18)(cid:5)(cid:13)(cid:19)(cid:20)(cid:7)(cid:21)(cid:22)(cid:23)(cid:23)(cid:24)(cid:25)(cid:22)(cid:23)(cid:23)(cid:26)(cid:24)(cid:20)(cid:7)(cid:22)(cid:23)(cid:23)(cid:27)(cid:24) (cid:21)(cid:13)(cid:19)(cid:5)(cid:12)(cid:4)(cid:8)(cid:28)(cid:5)(cid:13)(cid:12)(cid:29) (cid:24)(cid:11)(cid:28)(cid:14)(cid:7)(cid:30)(cid:11)(cid:31)(cid:6)(cid:12)(cid:20)(cid:7)(cid:24) (cid:16)!(cid:16)(cid:20)(cid:7)(cid:21)(cid:24)(cid:24)(cid:7)"(cid:7)(cid:23)(cid:5)(cid:6)(cid:18) (cid:6)(cid:19)(cid:7)(cid:15)(cid:12)(cid:4)(cid:6)(cid:3)(cid:20)(cid:7)(cid:21)(cid:22)(cid:23)(cid:23)(cid:24) 
(cid:27)(cid:4)#(cid:31)(cid:4)(cid:7)$(cid:12)(cid:11)(cid:28)(cid:29)(cid:6)(cid:20)(cid:7)(cid:21)(cid:22)(cid:23)(cid:23)(cid:24)(cid:7)"(cid:7)(cid:17)(cid:9)(cid:29)(cid:13)(cid:19)(cid:7)(cid:27)(cid:11)#(cid:11)(cid:28)(cid:14)(cid:11)(cid:9)(cid:20)(cid:7)(cid:21)(cid:22)(cid:23)(cid:23)(cid:24) %(cid:11)(cid:12)(cid:9)(cid:7)(cid:27)#(cid:22)(cid:19)(cid:5)(cid:9)(cid:12)(cid:6)(cid:20)(cid:7)(cid:21)(cid:22)(cid:23)(cid:23)(cid:24)(cid:7)"(cid:7)$(cid:6)(cid:14)(cid:14)(cid:6)(cid:9)(cid:7)&(cid:31)(cid:13)(cid:14)(cid:4)(cid:5)(cid:11)(cid:20)(cid:7)(cid:27)(cid:30)(cid:21)(cid:24) $(cid:6)(cid:4)(cid:5) (cid:7)(cid:24)(cid:11)(cid:29)(cid:14)(cid:6)(cid:9)(cid:20)(cid:7)(cid:21)(cid:22)(cid:23)(cid:23)(cid:24)(cid:7)"(cid:7)(cid:27)(cid:11)(cid:12)#(cid:28)(cid:29)(cid:7)$(cid:16)(cid:7)’(cid:13)((cid:6)(cid:12)(cid:29)(cid:20)(cid:7)(cid:24) (cid:16)!(cid:16)(cid:20)(cid:7)(cid:21)(cid:22)(cid:23)(cid:23)(cid:24) $(cid:6)(cid:19)(cid:7)(cid:27)(cid:16)(cid:7)(cid:23) (cid:11)(cid:28)(cid:12)(cid:6)(cid:5)(cid:5)(cid:6)(cid:20)(cid:7)(cid:21)(cid:22)(cid:23)(cid:23)(cid:24)(cid:7)"(cid:7)’(cid:13)(cid:8)(cid:6)(cid:12)(cid:5)(cid:7)(cid:27)(cid:16)(cid:7)(cid:23)(cid:14)(cid:11)(cid:3)(cid:6)(cid:20)(cid:7)(cid:21)(cid:22)(cid:23)(cid:23)(cid:24) Boca Raton London New York CRC Press is an imprint of the Taylor & Francis Group, an informa business AN AUERBACH BOOK CRC Press Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2010 by Taylor & Francis Group, LLC CRC Press is an imprint of Taylor & Francis Group, an Informa business No claim to original U.S. Government works Version Date: 20140808 International Standard Book Number-13: 978-1-4398-0960-0 (eBook - PDF) This book contains information obtained from authentic and highly regarded sources. 
Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

Foreword ... vii
Introduction ... xi
Editor ... xvii
Contributors ... xix
1 Access Control ... 1 — JAMES S. TILLER, CISSP; REVISED BY STEPHEN FRIED, CISSP
2 Application Security ... 157 — ROBERT M. SLADE, CISSP
3 Business Continuity and Disaster Recovery Planning ... 261 — KELLEY OKOLITA, MBCP
4 Cryptography ... 309 — KEVIN HENRY, CISSP; REVISED BY KEITH PASLEY, CISSP, CISA, ITIL, GSNA
5 Information Security Governance and Risk Management ... 401 — TODD FITZGERALD, CISSP, BONNIE GOINS, CISSP, AND REBECCA HEROLD, CISSP; REVISED BY KEN M. SHAURETTE, CISSP
6 Legal, Regulations, Investigations, and Compliance ... 503 — MARCUS K. ROGERS, PH.D., CISSP, CCCI-ADVANCED
7 Operations Security ... 539 — GARY MCINTYRE, CISSP
8 Physical and Environmental Security ... 579 — PAUL BAKER, PH.D., CPP
9 Security Architecture and Design ... 667 — GARY MCINTYRE, CISSP AND MICKI KRAUSE, CISSP
10 Telecommunications and Network Security ... 731 — ALEC BASS, CISSP AND PETER BERLICH, CISSP-ISSMP; REVISED BY TYSON MACAULAY, CISSP
Appendix: Answers to Practice Questions ... 853
Index ... 913

(Note: the ten domains listed above are the CISSP CBK as organized for this 2009 study guide (© 2010). The foreword itself describes the CBK as continuously updated, so readers should confirm the current domain structure against the official (ISC)² exam outline before relying on this table of contents as a study map.)

Foreword

Foreword to CBK Study Guide 2009

In today’s connected world, business, government, and consumers all want the ability to access information, communicate, and execute transactions immediately with the assurance of real-world security. However, every advance in connectivity and convenience also brings new threats to privacy and security in the global virtual environment. That’s why information security has become critical to mitigating risks that can destroy a company’s reputation, violate a consumer’s privacy, compromise intellectual property, and, in some cases, endanger lives. Most organizations now understand that technology alone cannot secure their data. In ever-increasing numbers, they are seeking seasoned professionals who can create and implement a comprehensive information security program, obtain support and funding for the program, and make every employee a security-conscious citizen, all while meeting necessary regulatory standards. Educating and certifying the knowledge and experience of information security professionals has been the mission of the International Information Systems Security Certification Consortium [(ISC)²] since its inception.
Formed in 1989 by multiple IT associations to develop an accepted industry standard for the practice of information security, (ISC)² created the first and only CBK, a continuously updated compendium of knowledge areas critical to being a professional. (ISC)² has certified security professionals and practitioners in more than 130 countries across the globe. It is the largest body of information security professionals in the world. Information security only continues to grow in size and significance and has become a business imperative for organizations of all sizes. With the increasing importance of security, educated, qualified, and experienced information security professionals are viewed as the answer to an organization’s security challenges. Responsibilities are increasing as well—information security professionals are under increasing pressure to secure not only the perimeter of the organization, but all the data and systems within the organization. Whether researching new technologies or implementing information risk management initiatives, information security professionals are being held to even more stringent standards than ever before and the need for specialized training continues to increase. To ensure that professionals meet these high standards, (ISC)² offers a suite of information security education materials, certifications, and concentrations that cover each discipline within the information security field, whether it is planning, design, execution, or management. Although requirements vary from certification to certification, such as minimum number of years of relevant work experience and areas of domain knowledge, all candidates applying for (ISC)² certifications must pass a rigorous exam, be endorsed by a current (ISC)² credential holder (member), adhere to the (ISC)² Code of Ethics, and obtain annual continuing professional education credits to maintain certification.
(ISC)²’s certifications are vendor-neutral, which means they are not tied to a specific vendor or product, but instead encompass a broad scope of knowledge. These certifications provide organizations with the assurance that their staff has been tested on understanding industry best practices, possessing a broad knowledge of the field, and demonstrating sound professional judgment. (ISC)²’s core credentials are accredited by the International Organization for Standardization’s (ISO) United States representative, the American National Standards Institute (ANSI), under ANSI/ISO/IEC Standard 17024, a national and global benchmark for the certification of personnel. In fact, the Certified Information Systems Security Professional (CISSP) certification was the first technology-related credential to earn such accreditation, making it the Gold Standard within the information security industry. The CISSP is an invaluable tool that independently validates a candidate’s expertise in developing information security policies, standards, and procedures as well as managing implementation across the enterprise. The Official (ISC)² Guide to the CISSP CBK is the only document that addresses all of the topics and subtopics contained in the CISSP CBK. The authors and editor of this new, comprehensive edition have provided an extensive supplement to the CBK review seminars that are designed to help candidates prepare for CISSP certification. Earning your CISSP is a deserving achievement and makes you a member of an elite network of professionals that enjoy such benefits as access to leading industry conference registrations worldwide, access to a Career Center with current job listings, subscription to (ISC)²’s members-only digital magazine—InfoSecurity Professional, a “live” help desk to address your questions and issues, and much more.
You will also be a member of a highly respected organization that is constantly working to raise the profile of the profession through community goodwill programs such as children’s security awareness programs, an information security career guide for high-school and college-aged students, and academic scholarships for students researching new techniques and theories in the field. We wish you success in your journey to becoming a CISSP. W. Hord Tipton International Information System Security Certification Consortium, Inc.